GDPR One Year On: Did Anything Really Change?

By Nigel Tozer

This time last year was a data protection whirlwind like never before, with stories about personal data being shifted, sold, used and abused hitting the headlines. After a two-year build-up, the looming General Data Protection Regulation (GDPR) was about to become real, and its main effect was confusion, and lots of emails.

A year later, we’re in a strange place where in many ways nothing has changed, and in other ways everything has changed.

Before May 2018: Confusion reigns

If you’re a Data Protection Officer (DPO), GDPR is pretty clear on what it’s about. In some cases it wasn’t actually that new. In Germany the laws were already stricter, and in the United Kingdom (UK) GDPR is about 90 percent the same as the laws it replaced. The media headlines about fines got a lot more people interested, though, right up to the boardroom. And this information in the hands of those new to data protection is what caused much of the confusion. For many, over-cautiousness was the default reaction.

The main outpouring of this risk-averse approach was a slew of “re-consent” emails filling everyone’s mailboxes. Those later gave way to “read our new privacy policy” emails instead. I heard TV and radio interviews about businesses, large and small, too afraid to contact their existing customers, with many media outlets and so-called experts confusing privacy with security. The now ubiquitous cookie wall sprang into life everywhere too, with perplexing or plain impossible-to-work options. No wonder people were confused.

Nothing has changed (in too many places)

Sadly, I still see the activities of many companies seemingly ignoring the existence of GDPR, hiding behind over-complicated privacy policies, with catch-all terms put in place purely as a corporate defence tactic. I also engage with a lot of organisations that still have little clue about what personal data they hold, how they collect it and why they do it, and that also lack any deletion strategy. But their security is great! So that’s OK, right? Except it really isn’t: security is one obligation under GDPR, but it is no substitute for knowing what personal data you hold, why you hold it and when you delete it, which is the point of the regulation.

There also seem to be just as many data breaches as ever, if not more. The good news is that reporting of data breaches across Europe is up, but many of these reports are again a sign of over-caution. And the fines? There have been some, but not as many or as big as some commentators expected, though the real experts in data protection will tell you the wheels grind slowly in this area. Some recent fines were issued under the previous regulations.

Everything has changed

There have been a lot of positives, though. The profile of privacy and data protection has risen significantly around the globe, and the average person in the street now understands much more than they did before. While GDPR got much of the limelight, similar regulations came into force in South America (with more to follow) and around the world. Canada has enacted further legislation in this area. Even in the U.S., companies are preparing for the California Consumer Privacy Act (CCPA). Revelations about the use of Personally Identifiable Information (PII) by Facebook and other big tech companies are also driving the U.S. ever closer to a federal privacy law.

Back to GDPR for a moment. It’s worth remembering that many data breaches can take six months or longer to come to light, and the same goes for investigations into other transgressions. So if you’re a “fine watcher,” or, to borrow the German, someone indulging in a bit of Schadenfreude, you’re probably in for more entertainment in year two of GDPR.

The privacy wars

So the answer, ultimately, is yes, plenty has changed. One interesting outcome of GDPR, and of the general public’s increased knowledge about the privacy issues of digital technologies, is that “big tech” now seems to be tripping over itself to tell you how it protects your privacy. Companies like Apple, Facebook, Google and Microsoft have all publicly communicated about what they’re doing in this area, though their actions vary substantially.

Everyone has their own view on privacy, so I’ll leave you to decide whether you think each of them is doing enough for you. My own personal view is that they are all best kept at arm’s length where a federal U.S. law is concerned; there are plenty of experts available who will put the best interests of people first, rather than big tech.

In June I’ll be presenting and running a panel session at the Data Protection World Forum in London, so if you’re attending, come and say hello. If you can’t make it but want to know where data management meets data protection and privacy, please check out a recent webinar I did with Ray Ford from the GDPR Associates on exactly this topic.